Project

Summary

Function MembershipERC1155::initialize() uses the initializer modifier which can only be called once, even when using inheritance ( as per OZ docs -see below link). This limits contracts that want extend/inherit from it inlcuding future upgrades by owner or others. Its recommended that parent contracts should use the onlyInitializing modifier.

From the OZ docs: per OZ docs: https://docs.openzeppelin.com/upgrades-plugins/1.x/writing-upgradeable

Another difference between a constructor and a regular function is that Solidity takes care of automatically invoking the constructors of all ancestors of a contract. When writing an initializer, you need to take special care to manually call the initializers of all parent contracts. Note that the initializer modifier can only be called once even when using inheritance, so parent contracts should use the onlyInitializing modifier:

If the contract MembershipERC1155 was meant to be not extendible, then it should have used abstract keyword/modifier as such.

Vulnerability Details

Snippets below show the function [MembershipERC1155::initialize() ] which is missing the onlyInitializing modifier.

Impact

This limits future inheritance inlcuding future upgrades by owner or others. If there is ever a need to extend/inherit this contract for any reason, then those inheriting can't make use of OpenZeppelin Upgrades and initializer or _disableInitializers() capabilities (docs link in summary). Also, If the contract MembershipERC1155 was meant to be not inheritable, then it should have used **abstract keyword/modifier **as such.

Tools Used

Manual review.

Recommendations

Add the correct modifier. Snippets below show the function [MembershipERC1155::initialize() ] with the correct onlyInitializing modifier.